I don’t like creating new terms for things in cybersecurity that already exist, so I’m on thin ice with that title. But hear me out.
Attack Surface Management (ASM) makes sense to me. “You can’t manage threats” is one of the fundamentals of cybersecurity that companies and organizations have forgotten. While we can’t manage threats, we can certainly manage how we view them, how we respond to them, and how we structure our technology and security. ASM is often further divided into external, internet-facing attack surface management (EASM) and internal, asset-derived cyber asset attack surface management (CAASM). I find this split interesting not because the technology behind the two differs, but because it hints that the purpose of the surface is what differentiates them.
ASM forces us to turn the camera away from the villains and onto ourselves. This is exciting because it makes things harder for attackers and makes them visible sooner. The weakest link in ASM has been the ability to act, especially in any reliable, automated way. Hold that thought and let’s talk about security posture for a moment.
Security posture and ASM
In parallel with ASM over the last two years or so, real-time security posture assessment has been developing. A security posture takes information about entities and produces an assessment (i.e. not just data), and often a verdict on how much trust can be placed in that entity.
Examples include assessments such as “although this identity is valid, don’t trust it because the email account associated with it was leaking malware”, “this machine is a little behind on patches, but has been contacting other machines in an atypical way”, or “none of these 15 indicators is suspicious on its own, but together they have a very high probability of meaning that this is an early indicator of an XYZ attack”.
I especially like the term security posture because so many risk assessment tools are bad and give risk management a bad name. But a security posture is risk management. The good news is that, because it focuses on near-real-time and is used by the SOC, it was developed with automation in mind.
How ASM relates to business
Apart from the poor ability to act with ASM per se, ASM often seems to lack one quality: how does this relate to our business? This was unachievable while data categorization and security were heavily weighted towards compliance labels, and the ballooning of cloud data and data management advanced faster than cybersecurity’s ability to understand the security context and make it actionable.
We may have been better at the latter than the former, but honestly it was weak. Machine learning (ML) has advanced enough that high-fidelity security categorization of data is now very feasible: understanding what that data means for your business, rather than relying only on coarse, manually derived compliance classification boundaries.
Let’s consider an example. An endpoint is being assessed. One patch is out of date. Many views of risk would stop there and assign a value. From a business perspective, more context is needed before risk can be meaningfully assessed:
1. What actions have been observed via telemetry since the patch became available? Was the endpoint used to send emails that could be internal phishing, or has it generated IOCs consistent with known attack groups that have been observed exploiting the vulnerability?
2. What is the user’s role? Is it someone who has access to valuable or sensitive data, even if the telemetry shows that the sensitive data does not appear to have been compromised yet? What is the real significance of the data being accessed?
3. What is the behavior or health of these user identities? Even if they were not revoked, were the credentials associated with somewhat unusual activity – activity that is not at the level of a serious alert, but not consistent with normal behavior?
4. What network activities has the user been associated with, including activity on other endpoints and devices? What is the nature of that communication and did it involve other users or devices with escalating levels of sensitivity and thus risk?
So if we combine ASM with data security categorization and security posture, and make it as effective as possible, we can have beautiful things again: managing the business attack surface. In other words, understanding how important assets and data are to our business, together with their vulnerability to attack, is a real assessment of our business risk. Making that assessment workable, and as automated as we want, gives us real risk management, or business attack surface management.
Next steps
For information on the attack surface and cyber risk management, see the following resources: